CVE-2023-45894

10.0 CRITICAL

📋 TL;DR

This critical vulnerability in Parallels Remote Application Server allows remote attackers to escape application virtualization and execute arbitrary code on the underlying server. Attackers can achieve this using standard kiosk breakout techniques. All organizations running vulnerable versions of Parallels RAS are affected.

💻 Affected Systems

Products:
  • Parallels Remote Application Server
Versions: All versions before 19.2.23975
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the default installation of Parallels RAS when virtualized applications are deployed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the Parallels RAS server leading to domain takeover, data exfiltration, and lateral movement throughout the network.

🟠 Likely Case

Remote code execution on the RAS server allowing installation of malware, credential theft, and persistence mechanisms.

🟢 If Mitigated

Limited impact if proper network segmentation and application whitelisting are implemented, though the server remains vulnerable to compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Standard kiosk breakout techniques are well-documented and can be adapted for this vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.2.23975

Vendor Advisory: https://www.parallels.com/products/ras/remote-application-server/

Restart Required: Yes

Instructions:

1. Download Parallels RAS version 19.2.23975 or later from the official website.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart the Parallels RAS service or server.

🔧 Temporary Workarounds

Disable Virtualized Applications (platform: windows)

Temporarily disable virtualized application publishing until patching can be completed. Use the Parallels RAS Console to disable all virtualized applications.

Network Segmentation (platform: all)

Isolate the Parallels RAS server from critical network segments and implement strict firewall rules.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Parallels RAS server from critical assets
  • Deploy application control/whitelisting on the RAS server to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check the Parallels RAS version in the administration console, or on Windows via 'reg query "HKLM\SOFTWARE\Parallels\RAS" /v Version'.

Check Version:

reg query "HKLM\SOFTWARE\Parallels\RAS" /v Version

Verify Fix Applied:

Verify that the installed version is 19.2.23975 or higher in the administration console.
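As an added example (not part of this advisory or Parallels' own tooling), the following Python script parses the output of the reg query command above and compares the installed build against the fixed build 19.2.23975, so the check can be scripted across a fleet of RAS hosts. It assumes the Version value is stored as REG_SZ, and the sample reg query output embedded below is constructed, not captured from a real server.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed build from the advisory; any older build is vulnerable.
FIXED_VERSION = "19.2.23975"
# Registry location quoted in the advisory's verification step.
REG_KEY = r"HKLM\SOFTWARE\Parallels\RAS"
REG_VALUE = "Version"

# Constructed sample of `reg query` output (the build number is made up).
SAMPLE_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Parallels\\RAS
    Version    REG_SZ    19.2.23855
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '19.2.23975' into (19, 2, 23975) so builds compare numerically, not as strings."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def extract_version(reg_output: str) -> Optional[str]:
    """Pull the Version value out of reg query output; None if the value is absent."""
    m = re.search(r"^\s*Version\s+REG_SZ\s+(\S+)\s*$", reg_output, re.MULTILINE)
    return m.group(1) if m else None

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build (tuple comparison)."""
    return parse_version(installed) < parse_version(fixed)

def assess(reg_output: str) -> str:
    """Classify a host as VULNERABLE, PATCHED or UNKNOWN from its reg query output."""
    version = extract_version(reg_output)
    if version is None:
        return "UNKNOWN: no Version value found (RAS not installed, or key differs)"
    state = "VULNERABLE" if is_vulnerable(version) else "PATCHED"
    return f"{state}: installed {version}, fixed in {FIXED_VERSION}"

def query_registry() -> str:
    """Run the advisory's reg query command on the local RAS host (Windows only)."""
    result = subprocess.run(["reg", "query", REG_KEY, "/v", REG_VALUE],
                            capture_output=True, text=True, check=False)
    return result.stdout

if __name__ == "__main__":
    print(assess(query_registry()))
```

Run it on the RAS server itself; on any other machine, feed it saved reg query output by calling assess() directly.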

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation events on RAS server
  • Failed kiosk breakout attempts in application logs
  • Unexpected PowerShell or command execution

Network Indicators:

  • Unusual outbound connections from RAS server
  • Traffic to known malicious IPs from RAS server

SIEM Query:

source="ParallelsRAS" AND (event_type="process_creation" AND process_name IN ("powershell.exe", "cmd.exe", "wmic.exe"))
